Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[],[],null,["# Quickstart: Build applications and view security insights\n\nBuild an application and view security insights\n===============================================\n\nThis quickstart explains how to build an application and view security insights\nfor the build in the **Security insights** panel in the Google Cloud console.\n\nYou will:\n\n- Build and containerize a Java application using Cloud Build and push the container image to Artifact Registry Docker repository.\n- View the following security insights for the build:\n\n - **[Supply-chain Levels for Software Artifacts (SLSA)\n level](https://slsa.dev/spec/v0.1/levels)**, which identifies the maturity level of your software build process in accordance with the SLSA specification .\n - **Vulnerabilities** in build artifacts.\n - **Software bill of materials (SBOM)** for the build artifacts.\n - **Build provenance**, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.\n\nBefore you begin\n----------------\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:\n\n\n ```bash\n gcloud services enable cloudbuild.googleapis.com artifactregistry.googleapis.com containerscanning.googleapis.com\n ```\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:\n\n\n ```bash\n gcloud services enable cloudbuild.googleapis.com artifactregistry.googleapis.com containerscanning.googleapis.com\n ```\n\n\u003cbr /\u003e\n\nPrepare your environment\n------------------------\n\n1. Set your project ID as an environment variable:\n\n export PROJECT_ID=$(gcloud config get project)\n\n2. Clone the repository that contains the Java code sample to build and\n containerize:\n\n git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git\n cd software-delivery-shield-demo-java/backend\n\nCreate the Artifact Registry repository for your image\n------------------------------------------------------\n\n1. Create a new Docker repository named `containers` in the location\n `us-central1` with the description \"Docker repository\":\n\n gcloud artifacts repositories create containers \\\n --repository-format=docker \\\n --location=us-central1 --description=\"Docker repository\"\n\n2. Verify that your repository was created:\n\n gcloud artifacts repositories list\n\n You should see `containers` in the list of displayed repositories.\n\nBuild the application\n---------------------\n\nBuild and containerize the Java application using Cloud Build.\nThe following command builds and containerizes the Java application and\nstores the built container in the Artifact Registry docker repository: \n\n gcloud builds submit --config=cloudbuild.yaml --region=us-central1\n\nAfter the build completes, you see a success status message similar to the\nfollowing: \n\n \u003cpre class=\"none lang-sh\"\u003e\n DONE\n -----------------------------------------------------------------------------\n ID: 3e08565f-7f57-4449-bc68-51c46cf33d03\n CREATE_TIME: 2022-09-19T15:41:07+00:00\n DURATION: 54S\n SOURCE: gs://sds-docs-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f78055e9.tgz\n IMAGES: us-central1-docker.pkg.dev/sds-docs-project/containers/java-guestbook-backend:quickstart\n STATUS: SUCCESS\n \u003c/pre\u003e\n\nGenerate an SBOM for the built image\n------------------------------------\n\nAn SBOM is a full inventory of an application, identifying the packages\nyour software relies on. The contents can include third-party software from\nvendors, internal artifacts, and open source libraries.\n\nGenerate the SBOM for the image you built in the previous section: \n\n gcloud artifacts sbom export \\\n --uri=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart\n\nView security insights\n----------------------\n\nThe Cloud Build UI in the Google Cloud console contains the\n**Security insights** panel that displays security information related to the\nbuild such as SLSA level, any vulnerabilities in the dependencies, and build\nprovenance.\n\nTo view the **Security insights** panel:\n\n1. Open the **Build history** page in the Google Cloud console:\n\n [Open the Build history page](https://console.cloud.google.com/cloud-build)\n2. Select your project and click **Open**.\n\n3. In the **Region** drop-down menu, select **us-central1**.\n\n4. In the table with the builds, locate the row with the build you just\n executed.\n\n5. Under the **Security insights** column click **View**.\n\nYou see the **Security insights** panel for the build:\n\nThis panel displays the following information:\n\n- **SLSA Level:** This build has achieved SLSA Level 3. Click the **Learn\n more** link to learn what this security level means.\n\n- **Vulnerabilities:** Any vulnerabilities found in your artifacts. Click the\n image name (**java-guestbook-backend**) to see the artifacts that have been\n scanned for vulnerabilities.\n\n- **Dependencies** for the built container image in Artifact Registry.\n\n- **Build details:** Details of the build such as the builder and the link to\n view logs.\n\nClean up\n--------\n\n\nTo avoid incurring charges to your Google Cloud account for\nthe resources used on this page, delete the Google Cloud project with the\nresources.\n\n1. Disable Container Scanning API:\n\n gcloud services disable containerscanning.googleapis.com --force\n\n2. Delete the Artifact Registry repository:\n\n gcloud artifacts repositories delete containers \\\n --location=us-central1 --async\n\n You have now deleted the repository that you created as part of this\n quickstart.\n\nWhat's next\n-----------\n\n- Learn more about the [security insights panel in\n Cloud Build](/build/docs/view-build-security-insights)\n- Learn how to [view security insights when deploying to Cloud Run](/software-supply-chain-security/docs/quickstarts/deploy-run-view-security-insights)\n- Learn how to [view security insights when deploying to GKE](/software-supply-chain-security/docs/quickstarts/deploy-gke-view-security-insights)\n- Learn more about [software supply chain security](/software-supply-chain-security/docs/overview)"]]
